
Do You Use Signal or ToTok? Your Android Could Have Spyware

Written by Scarlet Mendoza | Oct 8, 2025 3:00:00 PM

Two new spyware campaigns targeting Android users, known as ProSpy and ToSpy, pose as updates or add-ons for the messaging apps Signal and ToTok. Their goal is to reach the sensitive data stored on the device: messages, contacts, and personal files.

To make the malicious files appear trustworthy, the attackers created fake websites that perfectly mimicked the official platforms, increasing the chances that users would install the apps without suspecting a thing.

In case you're not familiar, Signal is a privacy-focused messaging app with end-to-end encryption and over 100 million downloads on Google Play. ToTok, on the other hand, was developed by G42, a company based in the United Arab Emirates.

Although it was removed from Apple and Google’s official stores in 2019 after allegations of being used for surveillance purposes, it can still be downloaded from its website and third-party app stores.

At TecnetOne, we keep you informed about these emerging threats so you can protect your data and keep your device safe.


Stealthy and Persistent Spyware Campaigns: ProSpy Targets UAE Users


The ProSpy spyware campaign has been running quietly since at least 2024, and all signs point to users in the United Arab Emirates as its main target. Although the activity was identified in June 2025, the evidence suggests the attackers had been operating under the radar for some time before that.

Analysis of the campaign revealed two entirely new spyware variants designed to impersonate legitimate tools: a supposed encryption extension for Signal and a “Pro” version of the ToTok app. Interestingly, neither of these features or versions actually exists, highlighting the level of deception behind these malicious apps.

To distribute the infected files (in APK format), the attackers created fake websites that mimicked official pages. Some of these domains cloned the Signal website, such as signal.ct[.]ws or encryption-plug-in-signal.com-ae[.]net/, while others impersonated official stores like the Samsung Galaxy Store, using addresses like store.latestversion[.]ai or store.appupdate[.]ai.

Everything was designed to look legitimate and trustworthy, making it easy for unsuspecting users to fall into the trap.

Fake Signal Plugin Website (Source: ESET)

When attempting to access the websites used to distribute the malware, researchers found that most were already offline, while others simply redirected to the official ToTok site. This technique is common in malware campaigns and serves a clear purpose: to avoid suspicion and appear legitimate at first glance.

Once the malicious ProSpy app is installed on an Android device, it requests standard permissions typically granted to any messaging app, such as access to contacts, SMS, and stored files. But what it does with that information is the real concern.

Once active, the malware begins collecting a wide range of personal data, including:


  1. Device information: hardware, operating system, IP address

  2. Stored SMS messages

  3. Contact list

  4. Personal files (photos, videos, documents, audio recordings)

  5. ToTok backup files

  6. List of installed apps


To avoid detection, ProSpy disguises itself using the name and icon of “Google Play Services,” an app almost every user recognizes and rarely questions. When the icon is tapped, the malware redirects to the legitimate app’s info screen, making everything seem normal.

Additionally, if the malware detects that the official Signal or ToTok app is not installed on the device, it redirects the user to the legitimate download site. This decoy behavior keeps the user's trust while the malware operates quietly in the background.

Below, we’ll show you a diagram explaining how ProSpy manages to infiltrate, collect data, and remain hidden without raising alarms.

ProSpy Execution Flow


The ToSpy Campaign May Have Been Active Since 2022


Although it remains active today, all signs suggest that the ToSpy campaign started more than three years ago, possibly as early as 2022. Several elements uncovered during the analysis support this.

For instance, a developer certificate was found that was created on May 24, 2022, along with a domain linked to the spyware’s distribution and command-and-control (C2) infrastructure, which was registered just days earlier on May 18. Malware samples were also uploaded to VirusTotal on June 30 of the same year.

All of this evidence indicates that ToSpy is not a new threat but a long-running campaign that has stayed active for years and adapted over time while avoiding detection.

Fake Galaxy Store Page

The fake version of ToTok used in this spyware campaign wastes no time: as soon as it’s installed, it requests access to the device’s contacts and storage—permissions that might seem normal for a messaging app. However, once granted, it begins collecting all kinds of personal data, with a particular focus on:


  1. Documents

  2. Images and videos

  3. ToTok chat backups (files with a .ttkmbackup extension)


To conceal what it is exfiltrating, the malware encrypts all stolen data with AES in CBC mode before sending it to the attacker's servers. The traffic is not harmless, but its contents are opaque: a network sensor cannot recognise the chat backups or documents inside the uploads, so detection has to rely on the destination, timing and volume of the traffic rather than on its content.

But the deception doesn’t stop there. To avoid raising suspicion, if the user opens the fake app and the original ToTok is installed, the malware automatically launches the legitimate app, making everything seem normal. If the real app isn’t present on the device, it tries to redirect the user to the Huawei AppGallery—either through the app itself or the default web browser—so they can download the legitimate version.

This kind of behavior—blending an apparently legitimate experience with hidden spyware functionality—is an increasingly common tactic in sophisticated mobile malware campaigns.

ToSpy Execution Flow


How Do ProSpy and ToSpy Stay Active on Your Device?


Both ProSpy and ToSpy are designed to remain active on infected devices for as long as possible. To achieve this, they use three persistence mechanisms that keep them running after the phone is restarted or their process is killed:

  1. They abuse Android's AlarmManager API to schedule their own relaunch, so the spyware service comes back if it is killed or force-closed. Note that no alarm survives an actual uninstall; this mechanism resists being stopped, not being removed.

  2. They run a foreground service with a persistent notification, which makes Android treat them as user-visible work and keeps the system from killing them under memory pressure.

  3. They register a receiver for the BOOT_COMPLETED broadcast, so they restart automatically when the phone is turned on, without any user interaction.
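The Google Play Services disguise and two of the three persistence hooks leave traces in the app's manifest, so they can be checked statically once the APK is decoded (for example with apktool). The following Go program is an added example, not code from the article or from ESET: it parses a constructed AndroidManifest.xml that combines those traits and lists what a triage pass should flag. The manifest, package name and component names are made up for illustration. The AlarmManager abuse is not visible in a manifest unless exact-alarm permissions are requested, so that one has to be found in the decompiled code.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed AndroidManifest.xml (not from a real sample). It combines the
// traits the article describes: an app labelled like Google Play services, a
// BOOT_COMPLETED receiver, a foreground service, and messaging-style
// permissions over SMS and contacts. Labels are assumed already resolved to
// strings, as a decoded (apktool) manifest has them.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.signalplugin">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Google Play services">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".CollectorService"
            android:foregroundServiceType="dataSync"/>
    </application>
</manifest>`

// named captures the android:name attribute shared by permissions, components and actions.
type named struct {
	Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
}

type manifest struct {
	Package     string  `xml:"package,attr"`
	Permissions []named `xml:"uses-permission"`
	Application struct {
		Label     string `xml:"http://schemas.android.com/apk/res/android label,attr"`
		Receivers []struct {
			named
			Actions []named `xml:"intent-filter>action"`
		} `xml:"receiver"`
		Services []struct {
			named
			FgType string `xml:"http://schemas.android.com/apk/res/android foregroundServiceType,attr"`
		} `xml:"service"`
	} `xml:"application"`
}

func parseManifest(src string) (manifest, error) {
	var m manifest
	err := xml.Unmarshal([]byte(src), &m)
	return m, err
}

// triage returns one finding per trait worth a second look. Legitimate apps use
// several of these; the combination, plus a label that does not match the
// package, is what makes the case.
func triage(m manifest) []string {
	var f []string
	perms := map[string]bool{}
	for _, p := range m.Permissions {
		perms[p.Name] = true
	}
	// Disguise: only com.google.android.gms may call itself Google Play services.
	if strings.EqualFold(m.Application.Label, "Google Play services") && m.Package != "com.google.android.gms" {
		f = append(f, "impersonation: label 'Google Play services' on package "+m.Package)
	}
	// Persistence 3: restart on boot.
	for _, r := range m.Application.Receivers {
		for _, a := range r.Actions {
			if a.Name == "android.intent.action.BOOT_COMPLETED" {
				f = append(f, "boot persistence: receiver "+r.Name)
			}
		}
	}
	// Persistence 2: a service declared with a foreground type, or the permission to run one.
	for _, s := range m.Application.Services {
		if s.FgType != "" || perms["android.permission.FOREGROUND_SERVICE"] {
			f = append(f, "foreground service: "+s.Name)
		}
	}
	// Persistence 1 (AlarmManager) only shows up here when exact alarms are requested;
	// inexact alarms need no permission, so also search the decompiled code for it.
	if perms["android.permission.SCHEDULE_EXACT_ALARM"] || perms["android.permission.USE_EXACT_ALARM"] {
		f = append(f, "exact alarm permission requested")
	}
	// Data both families collected that an 'encryption plugin' has no business reading.
	for _, p := range []string{"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
		"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"} {
		if perms[p] {
			f = append(f, "sensitive permission: "+p)
		}
	}
	return f
}

func main() {
	m, err := parseManifest(sampleManifest)
	if err != nil {
		panic(err)
	}
	for _, line := range triage(m) {
		fmt.Println(line)
	}
}
```

Run against a decoded manifest, the output is a shortlist rather than a verdict: a real messenger will legitimately hold READ_CONTACTS and a foreground service, but an app whose label says Google Play Services while its package name says otherwise is the detail that matters.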


Additionally, while ESET has published a complete list of indicators of compromise (IoCs) associated with these campaigns—which helps researchers and security tools detect the spyware—there is still no clear attribution as to who is behind these attacks.


How to Protect Yourself from These Threats on Android


At TecnetOne, we’re sharing key recommendations to help you stay safe:


  1. Download only from official sources. Use the Google Play Store or, if an app is only distributed outside it, get it from the developer's official website after checking the exact domain: both campaigns used cloned sites on lookalike domains such as signal.ct[.]ws, so the address bar, not the page design, is what to trust.

  2. Enable Google Play Protect. This built-in Android feature scans installed apps, including sideloaded APKs, against known threats and warns about suspicious behavior.

  3. Avoid installing APK files from untrusted sources, especially if they come from unexpected messages, emails, or links.

  4. Review and manage app permissions. If a messaging app or "plugin" asks for access to your SMS, contacts, files, microphone or location, make sure it genuinely needs them to function. Keep in mind that ProSpy and ToSpy asked only for permissions a messenger plausibly needs, so a permission review alone will not catch them; check the package name and installer of anything that calls itself Google Play Services or a Signal extension.
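Recommendations 1 and 3 can be turned into a quick check on any device you can reach with adb, because Android records which installer placed each package. The following Go program is an added example, not from the article or from ESET: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), constructed here rather than captured from a real device, and flags sideloaded packages and Signal lookalikes. The store installer package names and Signal's package name (org.thoughtcrime.securesms) are real; the ToTok rule only asks for a second look, since ToTok is legitimately distributed outside Google Play.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `pm list packages -3 -i` output (not captured from a real
// device). Because -3 excludes system apps, installer=null here means the APK
// was installed by hand with nothing recorded, not a preinstalled component.
const samplePmList = `package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.notes  installer=com.sec.android.app.samsungapps
package:com.signal.encryptionplugin  installer=com.google.android.packageinstaller
package:com.totok.pro  installer=null
`

type pkg struct {
	Name      string
	Installer string // "null" when the system recorded no installer
}

// parsePmList reads lines of the form "package:<name>  installer=<installer>".
func parsePmList(out string) []pkg {
	var pkgs []pkg
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "package:") {
			continue
		}
		name, inst, _ := strings.Cut(strings.TrimPrefix(line, "package:"), "installer=")
		pkgs = append(pkgs, pkg{Name: strings.TrimSpace(name), Installer: strings.TrimSpace(inst)})
	}
	return pkgs
}

// Store installers that leave a verifiable trail. Anything else on a
// third-party listing was sideloaded: an APK from a website, a chat attachment
// or an alternative store the device does not know.
var storeInstallers = map[string]bool{
	"com.android.vending":             true, // Google Play
	"com.sec.android.app.samsungapps": true, // Samsung Galaxy Store
	"com.huawei.appmarket":            true, // Huawei AppGallery
}

// Signal's real package name, used to spot lookalikes such as a fake "encryption plugin".
const signalPackage = "org.thoughtcrime.securesms"

// audit returns one line per observation worth following up.
func audit(pkgs []pkg) []string {
	var f []string
	for _, p := range pkgs {
		sideloaded := !storeInstallers[p.Installer]
		if sideloaded {
			f = append(f, fmt.Sprintf("sideloaded: %s (installer=%s)", p.Name, p.Installer))
		}
		lower := strings.ToLower(p.Name)
		if strings.Contains(lower, "signal") && p.Name != signalPackage {
			f = append(f, "signal lookalike: "+p.Name)
		}
		// ToTok is only available outside Google Play, so a sideloaded ToTok is
		// not proof of anything; compare the APK against ESET's IoCs before judging.
		if strings.Contains(lower, "totok") && sideloaded {
			f = append(f, "sideloaded ToTok-named package, verify against IoCs: "+p.Name)
		}
	}
	return f
}

func main() {
	for _, line := range audit(parsePmList(samplePmList)) {
		fmt.Println(line)
	}
}
```

On a real device, pipe `adb shell pm list packages -3 -i` into the parser; the installer field is the single most useful fact for recommendation 1, because a package that claims to be a Signal add-on but arrived through the plain package installer never went through a store at all.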


At TecnetOne, we believe prevention is your best defense. Staying informed and following these best practices can make the difference between a secure device and a compromised one.